CVE-2026-32301 is a critical SSRF vulnerability affecting Centrifugo, an open-source real-time messaging server, in versions before 6.7.0. The flaw exists when Centrifugo is configured to fetch JSON Web Key Sets (JWKS) from a dynamic URL that incorporates template variables such as {{tenant}}. An attacker can exploit this by crafting a JWT with malicious issuer (iss) or audience (aud) claims that are interpolated into the JWKS URL before the token's signature is verified. Because the server performs the HTTP request to fetch the JWKS before validating the token, it can be tricked into making requests to arbitrary, attacker-controlled endpoints. This SSRF can be leveraged to access internal network resources, exfiltrate sensitive data, or perform further attacks against internal systems. The vulnerability requires no authentication or user interaction and affects confidentiality and integrity, though it does not directly impact availability. The issue is resolved in Centrifugo 6.7.0 by fixing the JWKS URL interpolation logic to prevent untrusted input from controlling outbound requests. Despite no known exploits in the wild, the high CVSS score (9.3) reflects the ease of exploitation and potential impact. Organizations using Centrifugo with dynamic JWKS URLs should prioritize upgrading and reviewing their configurations to mitigate risk.

The SSRF vulnerability allows unauthenticated attackers to induce vulnerable Centrifugo servers to make arbitrary HTTP requests to attacker-controlled or internal network destinations. This can lead to unauthorized access to internal services, exposure of sensitive information, and potential pivoting within an organization's network. Confidentiality is highly impacted as attackers can retrieve data from internal endpoints that are otherwise inaccessible externally. Integrity is partially affected since attackers can influence the JWKS fetching process, potentially undermining token validation trust. Availability is not directly impacted. Given Centrifugo's role in real-time messaging, exploitation could disrupt secure communications or enable further attacks on connected systems. Organizations relying on dynamic JWKS URLs are at particular risk. The vulnerability's ease of exploitation without authentication or user interaction increases the threat level globally, especially in environments where Centrifugo is deployed in sensitive or internal network contexts.

1. Upgrade Centrifugo to version 6.7.0 or later, where this vulnerability is fixed. 2. Avoid using dynamic JWKS endpoint URLs with template variables that incorporate untrusted input such as iss or aud claims. 3. Implement strict validation and sanitization of any variables used in JWKS URL construction to prevent injection of malicious values. 4. Restrict outbound HTTP requests from Centrifugo servers to trusted endpoints using network-level controls such as firewall rules or egress filtering. 5. Monitor logs for unusual outbound requests from Centrifugo instances, especially to unexpected or external IP addresses. 6. Conduct internal network segmentation to limit the impact of SSRF-induced requests reaching sensitive internal services. 7. Review JWT validation workflows to ensure token signature verification occurs before any network requests based on token claims. 8. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) that can detect and block SSRF attempts targeting Centrifugo.